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Abstract 



Shannon [111 [T^ in celebrated works had shown that n bits of shared key is necessary 
and sufhcient to transmit n-bit classical information in an information-theoretically secure 
way. Ambainis, Mosca, Tapp and de Wolf in 1 considered a more general setting, referred 
to as Private quantum channels, in which instead of classical information, quantum states 
are required to be transmitted and only one-way communication is allowed. They show 
that in this case 2n bits of shared key is necessary and sufficient to transmit an n-qubit 
state. We consider the most general setting in which we allow for all possible combinations 
i.e. we let the input to be transmitted, the message sent and the shared resources to 
be classical/quantum. We develop a general framework by which we are able to show 
simultaneously tight bounds on communication/shared resources in all of these cases and 
this includes the results of Shannon and Ambainis et al. 

As a consequence of our arguments we also show that in a one-way oblivious Remote 
state preparation protocol for transferring an ri-qubit pure state, the entropy of the com- 
munication must be 2n and the entanglement measure of the shared resource must be 
n. This generalizes on the result of Leung and Shor 6 which shows same bound on the 
length of communication in the special case when the shared resource is maximally en- 
tangled e.g. EPR pairs and hence settles an open question asked in their paper regarding 
protocols without maximally entangled shared resource. 

Key words: privacy, quantum channels, entropy, strong sub-additivity, remote state prepa- 
ration, substate theorem. 



1 Introduction 

Suppose Alice is required to transmit an n-bit input string to Bob in an information theoret- 
ically secure way, i.e. without leaking any information about her input to an eavesdropper 
Eve who has complete access to the channel between her and Bob. Shannon in I12j had 
shown that using n bits of shared key and by using one-time pad scheme Alice and Bob can 
accomplish this. He further showed that n bits of shared key are also required by any other 
scheme which accomplishes the same. Ambainis, Mosca, Tapp and de Wolf ,1^ considered a 
generalization of this question in which instead of classical input, Alice has quantum input 
and only one way of quantum communication between Alice to Bob is allowed. They referred 
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to this setting as Private quantum channels (PQCs). They showed that in this case the 
requirement of shared key increases. Their main result was: 

Theorem 1.1 2n bits of shared key are necessary and sufficient to transmit any n-qubit 
quantum state in an information-theoretically secure way. 

We further generalize the setting by letting the shared resource between Alice and Bob 
to be quantum. A natural generalization of classical shared keys in the context of quantum 
communication protocols is a pure quantum state |^)^^ shared between Alice and Bob. This 
is referred to as shared entanglement or simply entanglement. We consider private quantum 
channels that use entanglement between Alice and Bob to achieve security, and in order to 
distinguish them from PQCs which use classical shared keys, we call them PQCEs. We 
formally define a PQCE as follows. 

Definition 1.2 Let S be a subset of pure n-qubit states. Let |^)"^^ be a bi-partite pure state 
shared between Alice and Bob and let p be a quantum state. 

1. Alice's operations: Alice gets an input pure state \(f)) G S. Alice's operation consists of 
attaching a few ancilla qubits in the state |0) to her input and her part of the bi-partite 
state . She then performs a unitary transformation on the combined quantum 
system of all her qubits and sends a subset of the resulting qubits to Bob. Let A represent 
Alice's operations. Let for the input \(f)) represent the (encoded) quantum state 
of the qubits sent to Bob. We have the following security requirement that V|0) G 

s,£m = p. 

2. Bob's operations: Bob on receiving the quantum message from Alice attaches a few 
ancilla qubits in the state |0) to the combined system of the received message and his 
part of the bi-partite state . He then performs a unitary transformation on the 
combined system of all her qubits and outputs a subset of the resulting qubits. Let B 
represent Bob's operations. Let for input state \(j)) to Alice the final (decoded) output 
of Bob be represented by V{\(f))). We have the following correctness requirement that 
V|0) g5,P(|0)) = |,^)(,^|. 

Then [S.,A,B., , p\ is called a private quantum channel with entanglement (T*QCEj. 

Note: 

1. From our description the mapping £ : \(p) i— > i?(|(/>)) (and extended by linearity to mixed 
states) from Alice's input to her message, forms a quantum operation (see Section |21 
for definition) since it is a composition of quantum operations, like attaching a fixed 
ancilla, performing unitary transformation and tracing out a subsystem. 

2. In the above definition of a PQCE, if we replace the bi-partite shared pure state lip)^^ 
with shared random strings between Alice and Bob, we get a PQC. We represent a 
PQC by [S, A, B, P, p], where P is the distribution of the shared random strings between 
Alice and Bob. 

3. In the authors have made a comment that in the case of PQCs, without loss of 
generality, Alice's operations can be thought of as the following. On receiving the input 
she attaches a fixed mixed state ancilla p to it, applies a unitary Ui depending on 
the shared random string i on the combined system of the input and the ancilla and 
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sends the resulting qubits to Bob. Please note that we do not make such an 
assumption here which in any case does not apply for PQCE's. Also it is clear 
from the above definition that for both PQC's and PQCE's, the operations of Alice 
and Bob are as general as possible. 

4. A PQCE/PQC for S is also PQCE/PQC respectively for S which is the closure of 
S under convex combinations. 

PQCEs were also considered by Leung jBj by the name of Quantum Vernam Cipher who 
considered issues like security of key recycling and reliability of message transfer. In this paper 
we are primarily concerned with bounds on communication and entanglement requirements 
of PQCEs. We consider the following measures of our various resources: 

Definition 1.3 • Measure of communication: For a PQC [S,A,B,P,p\ and aPQCE 
[S,A,B, ,p], we let the measure of communication to be S{p). When we say that 

it requires 'n (qu)bits of communication' we mean S{p) = n. 

• Measure of entanglement: For a bi-partite pure state lil))^^ , consider its Schmidt 
decomposition, I'i/')^^ = J2i=i V^lo^i) ^ where {\ai)} is an orthonormal set and so 
is {\bi)}, Aj > and J2i = 1- '^^^ measure of entanglement of is defined to 

be E{\iP)^^) = -^.AilogAi. For a PQCE [S , A, B , {t/;)^^ , p] , we let the measure of 
entanglement to be Edt/j)"^^). When we say that it requires n ebits of entanglement we 
mean E{\ip)^^) = n. 

• Measure of shared randomness: For a PQC [S,A,B,P,p], we let the measure of 
shared randomness be S{P). When we say that it requires n bits of shared randomness 
we mean S{P) = n. 

We consider all possible cases i.e. when the input to Alice, the message sent by Alice 
and the shared resource between Alice and Bob is either classical or quantum. We develop a 
general argument by which we are able to show tight bounds simultaneously on communication 
and shared resource usage in all the above cases. Following is a compilation of all the results 
we obtain due to our analysis. Below when we say the "x,y,z" case (e.g. classical, quantum, 
classical case) we mean, Alice gets n-(qu)bits of x input, the communication is y and the 
shared resource is z. 

Result 1.4 1. In the classical, classical, classical case, n bits of communication andn bits 
of shared key is required. The one-time pad scheme hence is simultaneously optimal in 
both communication and shared key usage. This is basically Shannon's result 

2. In the classical, quantum, classical case, n qubits of communication and n bits of shared 
key is required. Hence here again simultaneously optimal upper bound is achieved by the 
one-time pad scheme. 

3. In the classical, classical, quantum case, n bits of communication and n ebits of entan- 
glement is required. Hence here again simultaneously optimal upper bound is achieved 
by the one-time pad scheme. 

4. In the classical, quantum, quantum case, n/2 qubits of communication and n/2 ebits 
of entanglement is required. The simultaneously optimal upper bound here is achieved 
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by the standard protocol for super-dense coding f3l \1U^ which is a PQCE. In it, Alice 
transfers n bits of classical input in an information-theoretically secure manner to Bob 
using n/2 qubits of communication and n/2 — EPR pairs '10] shared between them. In 
this case the message of Alice is always in the maximally mixed state independent of 
her input. 

5. The quantum, classical, classical case is impossible with finite communication. 

6. In the quantum, quantum, classical case, n qubits of communication and 2n bits of shared 
key is required. This is the main result of Ambainis et al. 0]/. In the same paper they have 
exhibited a PQC which transfers an n-qubit state with n-qubits of communication and 2n 
bits of shared randomness and is therefore simultaneously optimal in both communication 
and shared randomness. 

7. In the quantum, classical, quantum case, 2n bits of communication and n ebits of entan- 
glement is required. Here the simultaneously optimal scheme is the standard protocol for 
teleportation ^[IJJ^ which is a PQCE (pointed to us by de Wolf in personal communica- 
tion). In this protocol Alice can transfer n-qubits to Bob in an information theoretically 
secure way by using 2n bits of communication and using n — EPR pairs between them. 
In this case the message of Alice always has uniform distribution independent of her 
input. 

8. In the quantum, quantum, quantum case, n qubits of communication and n ebits of 
entanglement is required. In this case simultaneously optimal upper bound is achieved 
by a scheme using (2,3) quantum secret sharing scheme by Cleve, Gottesman and Lo /^/. 
(This scheme was pointed by to us by Nayak who in turn was pointed to by Gottesman). 

We also present a consequence of our results to one-way, oblivious, remote state prepa- 
ration (RSP) protocols. In an RSP protocol between Alice and Bob, Alice is required to 
transport a known quantum state \(f)) in n-qubits to Bob using classical communication and 
some shared entanglement. An RSP is called oblivious if at the end of the protocol. Bob 
gets a copy of Alice's input {(p) and rest of his qubits are independent of Leung and 
Shor jni have shown that for one-way oblivious RSPs, if Alice and Bob start with maximally 
entangled state then the worst case communication required by them is 2n. We generalize on 
their result to provide bounds for all one-way oblivious RSP protocols independent of which 
shared pure state they start with. We prove that for any one-way oblivious RSP protocol, 
the entropy of communication is at least 2n and the entanglement measure of the shared pure 
state is at least n. Therefore again teleportation achieves both these bounds simultaneously. 

Finally we discuss two-way multiple round PQCs (MPQCs) and PQCEs (MPQCEs). 
We show that an MPQC which can transfer an n-qubit state must use n-bits of classical 
shared keys. Also an MPQCE which can transfer an n-qubit state must use Q{n) ebits of 
entanglement. Hence there is not much saving even when multiple rounds are allowed. 

2 Organization of the paper 

In the next section we make a few definitions and state a few facts which we will be using 
later in our proofs. In Section 0] we present the proofs of all the parts of Result 11.41 In 
subsection 14.11 we discuss our result for one-way oblivious RSPs. In Section [3 we discuss 
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two-way multiple round private quantum channels and finally conclude with a few remarks 
in Sectional 



3 Preliminaries 

Let TLk represent the Hilbert space of dimension k. Let Ck represent the set of quantum 
states corresponding to the standard basis of W^, also referred to as the classical states. Let 
Ik represent the identity transformation in a /c dimensional space. For an operator A let 
^ > represent that ^ is a positive semi-definite operator. By a quantum operation we 
mean a linear, completely positive, trace-preserving operation. Let /C be Hilbert spaces. 
For a state p G /C, we call a pure state G W /C, a purification of p if 'Tr-}i\(j)) = p. 



x{= xiX2 ■ ■ ■ Xn) G {0, 1, 2, 3}" in the natural way by pairing up the bits from left to right. 
Let ax = c^i ® CTx2 • • • ® c^xn- Let an EPR pair mean the state |EPR) = -^(lOO) + |11)). For 
s G {0, 1,2,3}, the states {ag <^ /)|EPR) are referred to as the four Bell states. Please note 
that all the four Bell states are orthogonal to each other. 

For a quantum state p with eigenvalues A, its von-Neumann entropy is defined as S{p) = 
— Xi log Aj. Given a joint quantum system AB, the mutual information between them is 

defined as I {A : B) = S{A) + S{B) — S{AB). Relative entropy between two states p and a is 

defined as S{p\a) = Trp(log/9 — logfi). We require the following properties of von-Neumann 
entropy, relative entropy and mutual information. Please refer to |lUj for a good introduction 
to quantum information theory. 

Fact 3.1 1. S{A) + S{B) — S{AB) > 0. This is called as sub-additivity property of von- 
Neumann entropy. This implies I{A : B) >0. 

2. S{ABC) + S{A) < S{AB) + S{AC). This is called the strong sub-additivity property. 
This implies I{£{A) : B) < I{A : B), where £ is a quantum operation. 

3. We have the following chain rule of mutual-information, I[A : BC) = I{A : B)+I[AB : 
C) — I{B : C), which follows easily from definition. 

4. S{AB) > \S{A) — S{B)\. This is called as Araki-Lieb inequality. 

5. Given a bi-partite system p^^ , I{A : B) = S{p^^\p'^ ® p^), where p^,p^ are the states 
of the systems A and B respectively. 

6. Given a joint system AB with A being a classical system, S{AB) > max{S (A) , S (B)} . 
We will need the following theorem. 

Theorem 3.2 (Local transition theorem [9", 'T^'S^) Let JC,7{ be Hilbert spaces. Let p be 
a quantum state in /C. Let and |02) be two purification of p inJi® fC. Then there is a 
local unitary transformation U acting on TC such that (U (8) L)\(pi) = \(j)2)- 



Let us represent the four Pauli operators in the standard 





Let us identify a state in C2271 as a string 
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We will also need the following Substate theorem from [3]. 
Fact 3.3 Let p,a be quantum state. If S{p\a) < k then, 

- > 
20(fc) - 

where Tr\p' — p\ < 0.1. 

4 Resource bounds 

We first derive a few lemmas which will finally lead us to our results. In it is shown that a 
PQC which can transmit n-qubit quantum states can be converted into a PQC which uses 
the same amount of shared classical randomness to transmit any 2n bit classical state. We 
show a similar thing for PQCE's. Following lemma states the same. 

Lemma 4.1 If there exists a PQCE, [H2",A,B,\-ilj^^),p] then there exists a PQCE, 
[C22n,^',i3', |V'^^),/2" ® p] which uses the same bi-partite state as the shared entanglement 
between Alice and Bob and uses extra n-qubits of communication. 

In order to prove this lemma we first prove here another lemma which is very similar to 
a lemma from 

Lemma 4.2 Let 7i,IC be Hilbert spaces. Let £ be a quantum operation acting on 7i such 
that\/\(j)) £ Ti.,£{\(l)){(j)\) = p. Let , \(j)2) £ Ti be two orthogonal states, then £ {(j)2\) = 

£{\(l>2){<Pl\)=0. 

Proof: We note the following: 

p = £m{^^\) = £{\^2){H) (1) 

p = £:(^(|./>i) + |</'2))((./'i| + (</'2|) (2) 

p = £(^{\cp,)+i\^2)mi\-i{<p2\) (3) 

Now (1) and (2) imply £ {{(P,) {<P2\) + £ {{^2) (M) = and (1) and (3) imply £ {hi) - 
£{\(^2){(pi\) = 0. Together the two imply ^ (|</.i)(02|) = ^(|02)(<^i|) = 0. ■ 

We get the following corollary of the above lemma: 

Corollary 4.3 Let 7i,IC be Hilbert spaces. Let £ be a quantum operation acting on 7i such 
thaty\(t>) e n,£{\(p){(p\) = p. Then'i\iP) G K ®n,{I ® £){\'^){tp\) = (Tr7^|V')(^|) p. This 
also means that for all mixed states a £ fC iSiTi., {I <E> £)(t = (Tr-^fi) (8) p. 

Proof: Let |^) = ^/Xi\ai) be as written in the Schmidt decomposition form. Then, 

= {I®£){Y,V\^a,)®\b,)){Y^^,{aj\(i^{b,\) 

i j 

= y^(/ £)y/x'iy^\ai){aj\ (g) \bi){bj\ 
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= '^^/x'^^/Xj\ai){aj\0 £{\bi){bj\) 
= ^Xi\a,){ai\^£{\bi){bi\) 

i 

= (y^^ Xi\ai) {ai\) p 

i 

= Tr7^|V')(V'l) ®P 

■ 

Proof: (Lemma mU) In the PQCE, ^32. , S',]^^^), ® p], let x £ {0,1,2,3^ corre- 
spond to the input state. Ahce prepares n EPR pairs and apphes the unitary ax on combined 
system of the first qubits of each pair. She then encrypts the combined system of the second 
qubits of each pair using £, the encryption operation of the PQCE, [7i2",A,B, \il)^^),p]. She 
now sends aU the resulting qubits to Bob. Prom above corollary, we can see that the state of 
the message of this new PQCE will be I2" p for all inputs in C22n . The decryption operation 
B' of Bob now corresponds to first decrypting the second half of the received qubits using B 
and then recovering the input classical state by making measurements on the n-Bell states. ■ 
Below we show a similar lemma which implies that a PQC/PQCE which transmits any 
n-qubit quantum state can be converted into a PQC/PQCE which uses the same commu- 
nication and extra n ebits of entanglement to transmit any 2n bit classical state. We show 
the proof for PQCEs and a similar proof holds for PQCs as well. 

Lemma 4.4 If there exists a PQCE, [H2"-,A,B,\\l)^^),p] then there exists a PQCE, 
[C2'2n,A',B',\ip^^) (^^^^^^^)®"', /o] which uses the same communication and extra n-EPR 
pairs. 

Proof: In [C22^,A',B',\ij^^) (^^^^^)®", p], let x E {0,1,2,3}" correspond to the in- 
put state. Alice applies ax to her part of the extra n-EPR pairs, encodes them using 
the encoding procedure of the earlier PQCE [7i2",A,B,\ip'^^),p], and sends the resulting 
qubits to Bob. The security property of [H2" , A, Bjlip^^) , p] implies the security property 
of [C22n,A',B',\'il;^^) (g) ( |00Hii) )can^p]_ Qu receiving Alice's message. Bob first applies the 

decoding procedure of [H2",A,B, \%l^^^),p], and recovers x by making measurements on the 
n-Bell states. ■ 
We will need the following lemma. 

Lemma 4.5 Let ABX he a tripartite system. Then, 

1. S{AX) + S{BX) - S{ABX) - S{X) < min{25(yl), 2S{B)}. 

2. If AX is a classical system then we have the stronger inequality S{AX) + S{BX) — 
S{ABX) - S{X) < mm{S{A), S{B)}. 

3. I{A : B) < mm{2S{A),2S{B)}. 
Proof: 

1. 

S{AX) - S{ABX) + S{BX) - S{X) < S{AX) - S{ABX) + S{B) 

< S{B) + S{B) = 2S{B) 
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Above first inequality comes from part (1) and second inequality comes from part (4) 
of FactO Similarly we get S{AX) + S{BX) - S{ABX) - S{X) < 2S{A). 

2. 

S{AX) - S{ABX) + S{BX) - S{X) < S{BX) - S{X) < S{B) 

Above first inequality arises from part (6), since AX is a classical system, and the second 
inequality comes from part (1) of Fact 13.11 Again, since A is a classical system, we get 

S{AX) - S{X) + S{BX) - S{ABX) < S{AX) - S{X) < S{A) 

Above the first inequality comes from part (6) and the second inequality comes from 
part (1) of Fact O 

3. 

I{A : B) = S{A) + S{B) - S{AB) < S{A) + S{A) = 2S{A) 
The inequality above follows from part (4) of Fact 13.11 

■ 

We now have the following theorem. 
Theorem 4.6 If [C2^^,A,B,\ip'^^), p] is a PQCE then, 

1. S{a^) > n/2, where is the quantum state corresponding to Bob's part of\^l}^^). We 
note from definitions that S{a^) = Edip)^^). 

2. S{p) > n/2. 

Proof: Let X be a random variable which takes values in {1, 2, 2"} uniformly and through 
the PQCE Alice is able to communicate X to Bob. We can assume that the operations of 
Alice are safe on X which means that at the beginning Alice makes a copy of X (since it is a 
classical state) and then her subsequent operations do not touch the original copy of X. Let 
Ml be the quantum state corresponding to the message of Alice and let M2 be the quantum 
state corresponding to Bob's part of . Then from Fact 13. l| 

n = H{X) = I{V{X):X) = I{B{MlM2(E>\0){0\anc^aa)■.X) 

< /(MiAfa \0){0\ancma : X) = /(M1M2 : X) 
= /(Ml : X) + /(M2 : MiX) - /(Mi : M2) 

= /(Ml : X) + /(M2 : X) + /(M2X : Mi) - /(Mi : X) - /(Mi : M2) 

< + + /(M2X : Ml) - /(Ml : X) 

= S{M2X) + S{MiX) - S{MiM2X) - S{X) 

< min{25(M2),25(Mi)} 

Above, first inequality comes from part (2) of Fact 13.11 /(Mi : X) = because of the privacy 
property of the channel. /(M2 : X) = because they were independent to begin with and 
Alice's operations are safe on X. The last inequality follows from part (1) of Lemma 14.51 ■ 
We note in the proof of Theorem 14.61 due to part (2) of Lemma 14.51 that if either M2 is a 
classical system (as in a PQC) or if Mi is a classical system (when the message is classical), 
then we get n < min{S'(M2), S'(Mi)}. Therefore we have the following corollary: 
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Corollary 4.7 1. If [C2r^,A,B,P,p] is a PQC then, S{P) > n and S{p) > n. 

2. If [62^, A, B, P] is a PQCE with classical communication then, S{a) > n, where 

a is Bob's part of lip^^), and S{P) > n. 

We are now set to show various parts of Result 11.41 
Proof: 

1. Follows from part (1) of Corollary 14.71 

2. Follows from part (1) of Corollary 14.71 

3. Follows from part (2) of Corollary 14.71 

4. Follows from Theorem 14.61 

5. Follows from the fact that quantum states cannot be encoded as finite classical distri- 
butions and faithfully recovered. 

6. From PQC [n2^,A,B,P,p\, using Lemma lO we get a PQC [C22n,A',B',Pj2^ ® p\- 
Part (1) of Corollary 14.71 now implies S{P) > 2n. Lower bound on communication 
follows from the fact that a PQC for 7^2" is also a PQC for C2" and Part (1) of 
Corollary F71 

7. Lower bound on communication follows from Lemma 14.41 and Part (2) of Corollary 14.71 
Lower bound on entanglement follows from the fact that a PQCE for "^2" is also a 
PQCE for and Part (2) Corollary EH 

8. From [7^2",^,^, using LemmaOwe get a PQCE [C22n, fiMV'^^), /2" 
Theorem 14.61 now implies > n. Similarly lower bound on communication 
follows from the Lemma 14.41 and Theorem 14.61 



4.1 Consequence for one-way oblivious remote state preparation problem 

In a remote state preparation (RSP) protocol between Alice and Bob, Alice wants to trans- 
port a known n-qubit pure state to Bob using classical communication and shared prior 
entanglement. Such a protocol is called oblivious if at the end of the protocol, Bob gets a 
single copy of Alice's input \(j)) and other than that all his qubits are independent of |(/>). 

Let us consider an RSP protocol. Let p be Bob's part of the initial pure state shared 
between Alice and Bob. Let the state of the shared part of entanglement on Bob's side after 
receiving message m to be f}m ■ Since the protocol is oblivious, the probability with which a 
particular message m comes to Bob is independent of \(j)), which we denote by pm- Therefore 
we note YlmPmPrn = p for all |0) (since the entanglement part of Bob's qubits has not 
changed due to Alice's operations). 

Bob on receiving message m attaches ancilla |0) to her qubits and performs unitary Um to 
them. Again since the protocol is oblivious, her state at the end of the unitary is | </>)(</>! 0"^, 
where am is independent of \cj)). Using these properties we now construct a PQC between 
Alice and Bob. Let Alice and Bob share classical randomness between them in which m is 
appears with probability On shared string being tti, Alice attaches to \4>){(l)\, applies 
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Um and sends the resulting state pm ® |0)(0| to Bob. Now since YlmPmPm = P for all 
Alice's message is independent of |(?!)) and hence the privacy requirement is satisfied. Bob on 
receiving the quantum message applies Um to it and discards am- Therefore now from part 6 
of Result ^31 we get S{p) >n and —pm^ogpm > 2n. 

5 Multiple round private quantum channels 

When we consider two-way multiple round PQCs (denoted MPQC) or multiple round 
PQCEs (MPQCE), we note that keeping the privacy of individual messages cannot be 
the only criteria. For example let us consider a protocol in which in the first message Alice 
transfers EPR pairs followed by a junk message of Bob and then Alice transfers her quan- 
tum state privately using the earlier sent EPR pairs. In this protocol none of the individual 
messages give any information about the transfered state but it does not mean that Eve, who 
can access the channel in all rounds, cannot get any information about the transfered state. 

We therefore consider two possible definitions of MPQCs and MPQCEs. We define 
MPQCs and MPQCEs are similar with only shared randomness replaced by shared entan- 
glement. 

1. MPQCs without abort: In this case Alice and Bob never abort the protocol but 
satisfy the following: 

• Any interfering Eve gets no information about the input state of Alice. 

• If Eve is not interfering then the input state is faithfully transfered to Bob. 

2. MPQCs with abort: In this case Alice can abort the protocol any time but satisfy 
the following: 

• Before abort any interfering Eve gets no information about the input state of Alice. 

• If there is no abort then the input state is faithfully transfered to Bob. 

Remark: Consider an implementation of a private quantum channel in which Alice and Bob 
first use quantum key distribution (QED) protocols like BB84 for key generation and then 
use these keys to transfer quantum states privately. However it is not strictly an MPQC 
according to our definition, because current implementations of QEDs require the existence of 
a classical broadcast channel which is unjam able by Eve. Also such a protocol would not be 
perfectly secure and there would still be a small amount of information that Eve can obtain 
even in case Alice does not abort the protocol. 

Below we discuss the resource requirements of MPQCs and MPQCEs. The cheating 
strategies of Eve discussed below work in both type of protocols, with and without abort. 

Lemma 5.1 Let P be the distribution of the shared random strings between Alice and Bob 
in an MPQC for C2n. Then S{P) > n. 

Proof: Consider an attack of Eve where she starts acting like Bob. She guesses the random 
string which has highest probability, say p of occurring. The probability that her guessed 
string is equal to Alice's random string is at least p. In the event that she guesses Alice's 
random string correct, she gets to know Alice's input state faithfully at the end of the protocol 
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and Alice does not abort the protocol in this case. Hence from the security criterion, p < 2~". 
This implies S{a) > n. ■ 
We show a similar statement for MPQCEs. 

Lemma 5.2 Let be the prior shared pure state between Alice and Bob in an MPQCEs 

forC2". Let = |^/')(^/'|. Let and denote state of Alice's and Bob's parts respectively 
in a^^. Then E{\^)^^) = S{a^) = S{a^) = n{n). 

Proof: Let S{a^) = k. Similar to above, let us consider a cheating strategy of Eve in which 
she starts acting like Bob. She starts with the state in the register which holds Bob's part 
of the entanglement. Let Mi and M2 represent Alice and Bob's parts in a^^. Then, from 
Lemma 14.51 we get, 

S(a^^|fT^ ® a^) = /(Ml : M2) < 2S{aB) = 2k 
From substate theorem, 

where Jr\a'^^ - cj^^| < 0.1 

This implies that Eve with probability 2^^^^^^ gets the same state created with her when 
Alice and Bob start with a'^^ as the prior entangled state. Because Tr\a'^^ — a^^\ < 0.1, 
Alice's probability of abort < 0.1. Hence the state created with Eve will be the same as the 
input state of Alice with probability at least (0.8)2~*^('^) . Because of the security criterion 
(0.8)2-O('=) < 2-" ^ A: = n{n). ■ 



6 Conclusion 

We have considered private quantum channels with one-way communication of all possible 
kinds and in all the cases we have shown simultaneously optimal resource requirements. Even 
when we allow two-way communication but if Eve is allowed arbitrary access to the channel, 
we show that there is not much saving possible on prior entanglement/shared randomness. 
However, by allowing a classical broadcast channel between Alice and Bob, unjam able by Eve, 
saving is possible on prior entanglement/shared randomness by using QKD protocols. So is 
there a weaker assumption we can make for saving on prior entanglement /shared randomness? 

In connection with RSPs it will be interesting to show similar bounds on resources when 
we do not have the oblivious condition or for two-way multiple round (non)-oblivious proto- 
cols. 
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